php-martin Posted July 18, 2005

First off, I'm not sure this is the right place to post this message - if so, sorry.

We are receiving hundreds of messages containing viruses that appear to be coming from ourselves. They have non-existent account names, but with our domain - i.e. support[at]php-architects, tech[at]php-architexts, webmaster[at]php-architects, your.account[at]php-architects etc. A typical header is shown below.

Our service provider is sending us warnings for sending out viruses too. We've checked our server / workstations for viruses, and even disabled our server from sending mails - but are still receiving them.

Has our email server been hacked - or is there anything we can do to block them?

Many thanks
Martin

Return-Path: <mail[at]php-architects.co.uk>
Delivery-Date: Thu, 14 Jul 2005 01:57:14 +0100
Received: from c2bthimr04.btconnect.com (actually host 204.73.73.194.in-addr.arpa) by dswu231.btconnect.com with SMTP-IBMR (XT-PP) with ESMTP; Thu, 14 Jul 2005 01:57:07 +0100
Received: from php-architects.co.uk (rrcs-65-34-29-246.se.biz.rr.com [65.34.29.246]) by c2bthimr04.btconnect.com (MOS 3.5.8-GR) with ESMTP id BJI13382; Thu, 14 Jul 2005 01:57:05 +0100 (BST)
Message-Id: <200507140057.BJI13382[at]c2bthimr04.btconnect.com>
From: mail[at]php-architects.co.uk
To: jimmy[at]php-architects.co.uk
Subject: Members Support
Date: Wed, 13 Jul 2005 20:57:12 -0400
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Content-Type: multipart/mixed; boundary="MIRAPOINT_PART1_42d5b864"
X-Mirapoint-Virus: VIRUSDELETED; host=c2bthimr04.btconnect.com; attachment=[2.2]; virus=W32/Mytob-DG

This is a multi-part message in MIME format.
--MIRAPOINT_PART1_42d5b864
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Virus warning from BT Business

This message contained a computer virus which has been detected and removed by the BT Business Email Virus Filter to avoid infecting your computer. You may wish to contact the sender of this email requesting they remove any virus infection from their PC before re-sending the email and any attachment to you, virus-free.

Attachment: rrv.zip
Problem: virus infected W32/Mytob-DG
Action taken: deleted
agsteele Posted July 18, 2005

> Has our email server been hacked - or is there anything we can do to block them?

Hi Martin!

I doubt your server has been hacked. You say you've checked and can find no indication of the messages having gone out from your system, which is a good thing. Much more likely is that somebody else has found their PC infected and their PC is sending this junk to you. These viruses/trojans are now harvesting domain names from infected machines and then sending copies of the virus to a range of common usernames such as postmaster, admin, support etc. The fact that the destinations you have seen do not exist supports this in your case.

You simply need to remind your users not to open such messages and double-check you are properly protected against viruses and have adequate outgoing firewall protection just in case someone does open an email attachment in error.

As for blocking them... I guess you'd need to set up email filtering on messages addressed to these non-existent addresses.

Andrew
php-martin (Author) Posted July 18, 2005

Many thanks for the quick reply Andrew. We're up to date with our firewall and virus protection right across our network. I'll put a filter on our email server to cut these messages out - I was worried that they were coming from within.

Just wondering why we are getting warnings from our ISP for sending viruses though? Even though these messages may originate from elsewhere, would they still trigger our ISP to warn us for sending viruses?

thanks,
Martin
Miss Betsy Posted July 18, 2005

> Just wondering why we are getting warnings from our ISP for sending viruses though? Even though these messages may originate from elsewhere, would they still trigger our ISP to warn us for sending viruses?

The Mytob (and others) viruses are made to look like they are coming from your ISP with a warning.

If you can get the headers without opening the email, then you can cut and paste them into the SpamCop web parser and find out the IP address where they are coming from and notify that administrator (or sign up for a free SpamCop reporting account and report them). Smaller ISPs will stop them immediately. It can take up to a month for larger ISPs.

The only way I know to get headers without opening is in Outlook Express (doesn't work in Outlook). Right click on email -> Properties -> Details -> Message Source. You don't have to copy the attachment. And do not forward a 'live' virus as a report; delete the viral attachment. My anti-virus deletes the attachment and puts the name of the virus in the email, so my subject line is "xxxx virus via xxx.xxx.xx.xx IP address". However, don't send reports to who they suggest.

Miss Betsy
Jeff G. Posted July 18, 2005

It appears that, in this particular case, the infected computer is rrcs-65-34-29-246.se.biz.rr.com [65.34.29.246], the worm is being allowed to relay through your server c2bthimr04.btconnect.com [194.73.73.204] to your smarthost dswu231.btconnect.com, and BT is taking exception. Please see the details at http://www.spamcop.net/sc?id=z787232248zae...e33080e096d900z, close the relay, and report this particular worm to abuse[at]rr.com. It could also be that your host c2bthimr04.btconnect.com [194.73.73.204] is actually the one that is infected, as it doesn't seem to be running a mailserver at this time. Thanks!
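Both Miss Betsy's post (paste the headers into a parser to find the originating IP) and Jeff G.'s post (read the chain by hand: the worm entered at 65.34.29.246 and was stamped by c2bthimr04.btconnect.com) come down to walking the Received: headers from the top, trusting only stamps written by servers you control. The script below is an added example, not code from the thread, from SpamCop or from BT; it does that walk over a message constructed from the headers quoted in the first post. The trusted-host set and the domain are assumptions standing in for the poster's ISP relays and domain, and the Return-Path/From lines are irrelevant to the result, which is the point: a forged envelope sender is why the ISP's warnings point at the wrong party.

```python
"""Walk the Received: chain of a spoofed worm message back to its true origin.

Assumptions (not from the thread): TRUSTED_HOSTS and OUR_DOMAIN below are
placeholders standing in for the poster's ISP inbound relays and domain.
"""
import email
import re
from email import policy

# Constructed sample: the header chain quoted in the thread, placeholder body.
RAW_MESSAGE = """\
Return-Path: <mail@php-architects.co.uk>
Received: from c2bthimr04.btconnect.com (actually host 204.73.73.194.in-addr.arpa)
 by dswu231.btconnect.com with SMTP-IBMR (XT-PP) with ESMTP;
 Thu, 14 Jul 2005 01:57:07 +0100
Received: from php-architects.co.uk (rrcs-65-34-29-246.se.biz.rr.com [65.34.29.246])
 by c2bthimr04.btconnect.com (MOS 3.5.8-GR) with ESMTP id BJI13382;
 Thu, 14 Jul 2005 01:57:05 +0100 (BST)
From: mail@php-architects.co.uk
To: jimmy@php-architects.co.uk
Subject: Members Support

placeholder body
"""

# Relays whose Received: stamps we believe (assumed: the ISP's inbound hosts).
TRUSTED_HOSTS = {"dswu231.btconnect.com", "c2bthimr04.btconnect.com"}
OUR_DOMAIN = "php-architects.co.uk"

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def ip_from_comment(comment):
    """Pull the connecting IP out of the receiving MTA's comment.

    Handles the usual "[a.b.c.d]" form and the "d.c.b.a.in-addr.arpa" form
    some MTAs write, which lists the octets in reverse order.
    """
    m = re.search(r"\[(" + IPV4 + r")\]", comment)
    if m:
        return m.group(1)
    m = re.search(r"(" + IPV4 + r")\.in-addr\.arpa", comment)
    if m:
        return ".".join(reversed(m.group(1).split(".")))
    return None


def parse_hops(raw):
    """Return the Received: hops, most recent first (the order they appear in)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        comment = m.group("comment") or ""
        first = comment.split()[0] if comment else ""
        rdns = first.lower() if "." in first and not first.startswith("[") else None
        hops.append({
            "helo": m.group("helo").lower(),   # what the client *claimed* to be
            "rdns": rdns,                      # what the receiver resolved it to
            "ip": ip_from_comment(comment),    # the address that actually connected
            "by": m.group("by").lower(),       # the MTA that wrote this stamp
        })
    return hops


def find_origin(raw, trusted_hosts, our_domain):
    """Walk trusted stamps downward; stop at the first hop from a non-trusted host.

    Stamps written by unknown servers are not consulted: a worm can forge
    any Received: line below the ones our own relays added.
    """
    trusted = {h.lower() for h in trusted_hosts}
    our_domain = our_domain.lower()
    for hop in parse_hops(raw):
        if hop["by"] not in trusted:
            break                       # nothing below this line is believable
        if hop["helo"] in trusted or hop["rdns"] in trusted:
            continue                    # internal relay-to-relay hop
        # HELO claims our domain but the connecting host resolves elsewhere.
        claims_us = hop["helo"] == our_domain or hop["helo"].endswith("." + our_domain)
        resolves_us = hop["rdns"] is not None and hop["rdns"].endswith(our_domain)
        hop["helo_spoofed"] = claims_us and not resolves_us
        return hop
    return None


if __name__ == "__main__":
    origin = find_origin(RAW_MESSAGE, TRUSTED_HOSTS, OUR_DOMAIN)
    print(f"injected from {origin['ip']} ({origin['rdns']}), HELO said {origin['helo']}")
    print("HELO spoofs our domain:", origin["helo_spoofed"])
```

On the sample the walk stops at the second stamp: the host that connected to c2bthimr04.btconnect.com was 65.34.29.246 (rDNS in rr.com) while announcing itself as php-architects.co.uk, which is the forged HELO Jeff G. points at. The "actually host 204.73.73.194.in-addr.arpa" comment on the first stamp is the same octet-reversed notation he reads as 194.73.73.204. A stamp below the first one not written by a trusted relay is ignored on purpose; that is the check a practitioner wants before reporting an address to an abuse desk.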